REMARKS

Reconsideration and allowance of the above-referenced application are 
respectfully requested. After entry of this amendment, claims 1-7; 14-16 and 21-24 will 
be pending in the case. 

Applicant herewith affirms the election of the group 1 claims 1-16 and 21-22. 

The undersigned apologizes for the failure to provide the non patent literature 
cited on the IDS. A duplicate copy of this non patent literature is attached. 

Claims 1, 14-16 and 21-22 stand rejected under 35 U.S.C. 102 as allegedly 
being unpatentable based on Paul. This contention is respectfully traversed, and it is 
respectfully suggested that the rejection does not meet the Patent Office's burden of 
providing a prima facie showing of unpatentability. 

Paul shows a system in which the e-mail filter filters the incoming e-mail based 
on fields of data within the e-mail itself; see column 3 lines 55-65, and also heuristically; 
see column 4 lines 12-21. The e-mail is marked based on the relationship between its 
contents and the data. Each e-mail is then displayed in a specified fashion based on its 
display code, see column 4 lines 25-27. 

The remaining part of the disclosure discloses various aspects of the filtering, both based on keywords and characteristics, and the display. Notably, one of the display codes, described for example at column 9 lines 3-5, represents that the e-mail has "junk" status. While the e-mails are filtered and displayed in this way, there is no teaching or suggestion of anything suggesting the specific different techniques of deleting the e-mail, as defined by claim 1.

Specifically, claim 1 requires receiving an electronic e-mail message displaying 
information in a way that allows one of: 
Appl. No. 09/690,002, Filed October 16, 2000



A) deleting the message without indicating whether it is spam or not 

B) deleting the message while indicating that it is spam, or 

C) deleting the message while indicating that it is not spam. 

Hence, this represents 3 DIFFERENT ways of deleting messages from the 
mailbox. Two of the three ways (in the list above, B and C) tell the system further 
information about the status of the message. 

The official action correctly points out that Paul displays different categories about the message, i.e. whether the message is junk or not. However, Paul teaches nothing about ways to delete the message, much less the specific deleting the message without indicating whether it is spam or not, deleting the message while indicating that it is spam, or deleting the message while indicating that it is not spam required by claim 1. Presumably, Paul just uses a conventional deletion system, which deletes emails with a single delete button. These claimed three different forms of deletion are in no way taught or suggested by Paul. Therefore, claim 1 should be allowable for these reasons.

Claims 14-16 should be allowable based on similar rationale. Specifically, claim 
14 defines a plurality of controls including at least a first control which selects deleting 
e-mail while indicating that the e-mail is spam, and a second control which selects 
deleting an e-mail while indicating that the e-mail is not spam. There is no teaching or 
suggestion of this in Paul, as noted above. While Paul does display an indication of 
whether the e-mail is spam or not, he teaches nothing about selection of deletion of an 
e-mail in these different ways. 
Claim 16 should be even further allowable, as it defines yet a third way of
deleting e-mail: specifically without determining whether the e-mail is spam or not. 
Therefore, each of these claims should be allowable for these reasons. 

Claims 23 and 24 should be allowable for similar reasons; as they define the 
technique of deleting an e-mail while defining, as part of the e-mail deletion process, 
whether or not the e-mail represents spam. 

Claim 21 should additionally be allowable, based on the following reasons. 
Specifically, claim 21 defines "forming a numerical score of the incoming message by 
comparing said incoming message with said list and determining commonalities... 
defining said message as likely being unwanted if the numerical score is within a 
predetermined range". In order to further define the patentable distinctions over the 
prior art, the word "numerical" has been added to claim 21; this FURTHER 
distinguishes over the references. 

Admittedly, Paul teaches filtering messages, but does so only based on an 
inclusion list, and characteristic criteria, see the top of column 9. The inclusion/ 
exclusion list is described beginning at column 3 line 54; and simply determines if the 
categories are there or not. Nowhere is there any teaching or suggestion of a 
numerical score in these references. 

Similarly, while heuristic processing is discussed according to rules, see for 
example column 9 beginning at line 32, there is no teaching or suggestion of a 
numerical score, as defined by these claims. 

Therefore, claims 21-22 should be additionally allowable for these reasons. 

Claims 8-13 have been canceled in order to obviate the rejections thereto. 
Claims 2-7 stand rejected over Paul in view of McCormick. Each of these claims
should be allowable by virtue of their dependence from allowable claim 1, the reasons 
for allowability of which have been described in detail above. 

It is believed that all of the pending claims have been addressed in this paper. 
However, failure to address a specific rejection, issue or comment, does not signify 
agreement with or concession of that rejection, issue or comment. In addition, because 
the arguments made above are not intended to be exhaustive, there may be reasons 
for patentability of any or all pending claims (or other claims) that have not been 
expressed. Finally, nothing in this paper should be construed as an intent to concede 
any issue with regard to any claim, except as specifically stated in this paper, and the 
amendment of any claim does not necessarily signify concession of unpatentability of 
the claim prior to its amendment. 

For all of these reasons, it is respectfully suggested that all of the claims should 
be in condition for allowance. A formal notice of allowance is hence respectfully 
requested. 
Please charge any fees due in connection with this response to Deposit Account
No. 50-1387. 



Date: 



Respectfully submitted, 




Scott C. Harris
Reg. No. 32,030



Customer No. 23844 
Scott C. Harris, Esq. 
P.O. Box 927649 
San Diego, CA 92192 
Telephone: (619)823-7778 
Facsimile: (858) 678-5082 



Attachment: Bass Reference 
Bayes Reference 
ABSTRACT

Pre-information age military battlefields are based on the traditional land, sea, air, and space paradigm. Global internetworking is causal to the creation of a dangerously real 5th dimension of warfare - Cyberspace. This paper describes an Internet based assault, commonly referred to as e-mail spam, on the Langley AFB internetworking infrastructure. We discuss the cyber-attack, a framework for defending against the attack, and the results of the campaign. The countermeasure was accomplished by running the MTA in a mode which accepts and queues SMTP mail; processes the messages with a rules-based filter; and then forwards mail after filtering. The filtering framework is simple and effective for a large subset of e-mail bombs. The prototype filter scripts may be obtained from the authors.

INTRODUCTION 

E-mail is extensively used for the exchange of numerous types of messages in the military environment. From low value questions and staff summaries to messages bordering on command and control, in every case the recipient assumes the apparent originator is the actual person sending the message. It is often overlooked, however, how trivial it is to impersonate a user or masquerade behind mail relays to send forged SMTP messages and mail bombs.

Our cyber war began when we assumed the moral high ground and began stopping hackers from using Air Force SMTP relays for the distribution of pornographic and bigoted hate mail. The hackers exacted their revenge by launching an e-mail attack of epic proportions, and statistics indicated that over 70 percent of the e-mail imprisoned during the cyber-campaign was spam. During many periods on the Internet battlefield, approximately 30,000 e-mail messages were captured per day. All imprisoned messages were either pornographic, malicious, or bigoted hate-mail in nature.

This paper summarizes the virtual battle and the successful countermeasures implemented during the SMTP cyber-attack. Our solution was a rules-based filtering utility that, within 48 hours of implementation, shunted the attack and frustrated our international Internet opponents. A summary chronology follows:

Jan 5   Director receives first forged e-mail
Jan 21  Sendmail logging level increased
Jan 23  SMTP prototype filter completed
Jan 27  Filter report identifies large problem
Feb 14  USAF assigned configuration control
Mar 04  SMTP mail relay crashed
Mar 12  SMTP mail relay crashed by DOS attack
        ACC forms Tiger Team:
          Commander             Lt Col Watt
          Technical Management  Maj Gruber
          Chief Scientist       Mr. Bass
          Software Engineering  Capt Fish
          Engineering Support   Lt Baker
Mar 12  Tiger Team repels first wave
Mar 14  AFCERT Team visits Langley AFB
Mar 18  Analysis of jail queue and logs
Apr 03  Prototype filter enhanced by USAF
Apr 09  USAF coins phrase BOMBSHELTER
May 0&  Hackers remove AFB from attack list

PRELUDE TO WAR: A FORGED E-MAIL 

On Monday, 5 January 1997, 0830 hours, one of the authors received a phone call ordering him to report to his director's office. From the tone of the conversation something serious had happened. The director was the latest recipient of malicious e-mail impersonating the sender "clinton@whitehouse.gov."

The forged e-mail was inflammatory in nature and bordering on threatening, igniting an immediate quest to determine the source of the attack. The perpetrator used a widely exploited hole in the SMTP protocol requiring open access to port 25. The appendix hosts a brief summary of the well known SMTP spoofing technique.

At Langley AFB, a covert design effort was initiated to develop an e-mail filter to capture and process malicious and criminal spam. The chief scientist of the team developed a prototype SMTP filtering program and architecture (Fig. 1) which initially identified 586 malicious or "bogus" SMTP messages in the first 41 hour sampling period. This, however, was only a small indication of the severity of the e-mail spam problem uncovered on SMTP host installations.

The initial basis for identifying spam was a rules-based filter which detected the absence of the @ character in the SMTP sender address field. Below are examples of the first e-mail captured by the filter, arranged by the forged [sender], [content], and [number of messages]:

  a/eru               sexually explicit material   138 messages
  lvrwtg              no content                   11 messages
  aaaa                a test                       1 message
  ycldic              a test                       5 messages
  webmaster           prank message                7 messages
  doody               prank message                20 messages
  / you - hoi?        prank message                1 message
  jfffre ca?e         forged AOL prank             36 messages
  Hwkey Cod           prank message                165 messages
  organizer           sexually explicit material   53 messages
  Concerned student   politics                     10 messages
  J loo WrJi:         prank message                £5 messages
Unknown to most Internet e-mail administrators, SMTP mail servers are covertly used as platforms to relay malicious and criminal e-mail to users outside the intended domain. The developed SMTP filter, smtpfilter.pl, captured or copied all suspected mail during the relay process and stored complete message content, including SMTP header information. We discovered that the number of spoofed e-mail addressed directly to recipients at Langley was small relative to mail covertly relayed to the rest of the world by hackers via the Langley SMTP servers.

The original spam count, prior to the cyberwar escalation, was approximately 700 messages per day. Most of these e-mails contained sexually explicit, anti-Semitic or other unacceptable message content. E-mail hackers were relaying mail via unprotected USAF SMTP servers, in effect creating "Grand Central Stations" for pornography and hate-mail. Pedestrian attempts to trace the e-mail back to the 'originator' would falsely point to military establishments, creating numerous opportunities for media-based perception warfare.

Forty-eight hours after the original SMTP prototype filter was operational, hacker bulletin boards were reporting problems with the targeted mail relay. E-mail spam and mail bombs were no longer being successfully relayed through Langley as intended by hackers. At this point, our adversaries launched numerous mail bomb attacks at the SMTP relays. At one point over 30,000 captured messages per day were received. This number would have been higher; however, the steady-state congestion of the DoD Internet served as a pseudo cyber-buffer.

The countermeasure was to enhance the prototype SMTP filter to process a broader technical range of e-mail spam. A virtual Internet cat-and-mouse game of countermeasures and counter-countermeasures occurred as different rule-sets were implemented. The cyberwar had begun.
Fig. 1. Process Flow Diagram for SMTP Filter (diagram not reproduced; its final stage is labelled "Deliver Mail")

CYBERWARS 

Defensive information warfare has traditionally engaged a strategy advocating intrusion detection and limited prevention in response to covert activities designed to affect information systems. These activities generally include malicious software designed to activate after penetration and destroy, manipulate or retrieve official information.

Our invisible Internet adversaries employed a far more simple and effective technique during Langley's cyber attack. In this battle, opponents used legitimate network resources as a precision guided weapon. E-mail was the specific weapon of choice and SMTP was the delivery agent. These SMTP relays receive mail from other Internet mail sites with minimal, if any, restrictions. Sendmail configuration file restrictions often delete forensic evidence or generate SMTP reject messages. Neither of these two results is an acceptable option for highly successful and covert cyber countermeasures.

During the initial filter prototyping phase, we copied and delivered all mail with the keyword 'whitehouse' in the header fields because it was theoretically possible that valid mail could come from "whitehouse.gov." This was the prototype of a queue which would become qcopy, which would be utilized to help refine additional filter rule-sets. All captured mail that was taken prisoner was stored in the jail queue, qjail.

The prototype filter design also provided valuable information which assisted investigators to discover the content type and origin of the spoofed mail. Trapping and jailing politically charged mail became a high priority as we uncovered pornography being relayed from servers on bases to pedestrian users in the commercial Internet. Concerns also mounted about the potential for media based information warfare. If the news media began publishing inaccurate articles with headlines including forged AFB e-mail addresses (and unknown to the public or the media) with controversial or politically charged content, the reputation of USAF could be severely damaged.

    "USAF Distributing Pornography to AOL"
    - Hypothetical Media Hype

Covertly distributing pornography could cause unintended adverse side-effects via the news media which may or may not have been the primary objective of the information warrior. Early recognition of the potential damage by adverse public opinion created the overarching strategy as the first heavy wave of Internet spam was shunted.

The Langley AFB mail system averages 5000-6000 files of incoming SMTP mail daily, most arriving over a 10 hour period. On the 11th of March, and again on the 12th of March 1997, one mail server received approximately [count illegible] messages within 8 hours. The overwhelming influx of spam brought the legacy 486 based SMTP mail relay to a complete halt. The Internet based cyber-attack was in full force and spam was targeted to an America On Line (AOL) customer, using a USAF post office as a relay point. A casual observer would come to the wrong conclusion that the spam originated from Langley AFB rather than the true foreign origin.

In the early hours of the campaign, we observed that a majority of e-mail spam contained spoofed addresses without the @ sign, similar to the original SMTP spoof described earlier. Filtering and jailing messages with invalid SMTP address format fortified our defenses and repelled the first wave of the attack.

The hackers quickly adapted, created bogus addresses with random @ symbols and were actively probing Langley AFB mail relays to understand what countermeasures were being implemented. An analysis on the 11th of March indicated the majority of the spam came from sites in Estonia and Australia. Considering this information, we shunted all network activity from these sites by a packet-filtering router located in front of the mail server. Again, the adversary adapted within 24 hours and began relaying spam from other DoD, US Government, and commercial sites with a technique we refer to as chain bombing. We could not shunt this attack using packet-filtering routers without denying critical SMTP services to legitimate users. The hackers also started employing more sophisticated techniques not generally associated with amateurs, including:

1. Direct E-mail Spam,
2. Indirect E-mail Spam,
3. Rejected E-mail Spam,
4. Chain Relay E-mail Spam, and
5. Mailing List Spam.

Direct spam came from the hacker's host system to the target via the port 25 hack described earlier. Indirect spam is e-mail bounced off another site needed to conduct business. Reject spam results from massive volumes of mail sent to undeliverable addresses at Internet Service Providers (ISPs). The undeliverable messages generated rejection notices that were returned to the forged sender, Langley AFB, or the reverse.

Chain relay spam, or chain bombing, works by linking together the host addresses of SMTP relays, telling SMTP the exact path or chain to follow in transferring e-mail. This is analogous to locusts swarming from bush to bush, destroying vegetation along the path. In fact, some of the popular mail bomb tools, e.g. Avalanche, KaBoom, and Up Yours, had Langley's mail relay hard coded into the software. The final technique involved spam via electronic mailing lists. Hackers simply sign up a site to numerous electronic mailing list exploders in order to increase the flow of e-mail traffic.

A collective strategy session produced three critical decisions that mitigated the cyberwar:

1. Acquire Processor Maneuvering Room
2. Covertly Filter and Jail Mail
3. Train Operators On Attack ID and Response

First, we replaced the legacy 486 based relay with a high powered Pentium server. The success of the remaining strategy hinged on the requirement to process all the spam the available network bandwidth could deliver with CPU cycles remaining to implement our filters and traps. Our software development team simultaneously enhanced the original prototype SMTP filter, later called BOMBSHELTER.

The technical strategy of the countermeasures against mail spoofing was simply to queue incoming mail messages, filter the mail based on developed rule-sets, and forward the clean mail. Rule-sets triggered on information in the header control files of the mail messages. The message content was not used in the filtering process. All filtered mail was processed via one of two paths. Mail was either sent to jail, qjail, and not delivered, or copied into qcopy for further analysis. Denying direct feedback to hackers was our cornerstone strategy, referred to by the team as Black Holing spam.

Trained system operators formed our third line of defense. System operators received crash training on recognizing when an attack was under way and what manual actions were necessary to avoid fatal system shutdown. Fortunately, our automated defenses worked and negated the need to put the final line of defense, carbon-system intervention, to the test.

The first engagement in this campaign ended with the team decision to deny feedback to the enemy. Our Black Hole strategy expanded, requiring zero reject notices for bogus e-mail, thus creating a situation where hacker e-mail destined for Langley AFB, or anywhere else, terminated in the Black Hole.

THE HACKERS STRIKE BACK 

Battlefields in 5th dimensional warfare are different than traditional military theaters. Information warriors can coordinate attacks from the global virtual battlefield by communicating globally and immediately via the Internet. High grade encryption is universally available to information warriors, further complicating effective countermeasures.

    "Hackers are analogous to global rats. They [illegible] and really bug the victim."
    - Bass

Langley AFB became a virtual information warfare battlefield. The hackers quickly discovered simple filter rule-sets, for example the @ symbol rule, and adapted with e-mail spam messages including pseudo random characters in the forged addresses. However, the defensive team always responded, establishing a covert cyberfront with the anonymous group of invisible global hackers. Technically, our countermeasures proved effective. However, from an economic perspective the hackers were winning. At any given moment, 2 to 20 technical resources were engaged analyzing jailed messages, refining filter rules, or tuning the filter engine. USAF senior management also was continually engaged coordinating information and managing interested outside agencies. Off-the-shelf modifications to the Sendmail configuration file did not meet the Black Hole requirement set by the management team. The software development team made numerous changes to the sendmail configuration file; but in the final analysis, the process of queuing, filtering, and forwarding e-mail proved the most robust and flexible. In fact, many of the custom sendmail configuration rules actually deleted mail or created rejection messages. Neither option was acceptable to the management team under the Black Hole strategy. Deleting spam automatically was unacceptable because forensic evidence would be destroyed. Generating reject messages has two problems. First, hackers are given rapid feedback on countermeasures. Second, reject messages can be used as another spamming technique, as earlier described.

The spam attacks continued, sometimes peaking at over 150,000 messages per day, without any denial-of-service to the AFB SMTP e-mail infrastructure. The constant barrage gave rise to the desire to "spam the hackers back!" but logic and discipline prevailed throughout the team. We redoubled our efforts to minimize all feedback in the cyber battlespace.

REVENGE OF THE JEDI 

Brainstorming sessions between the team members for improving the filter algorithm yielded numerous excellent ideas. The hackers were adapting to new filter rule sets within 24 to 48 hours. The most common spam element was repeated e-mail spam with the same sender-receiver pairs. This fact provided a successful indicator of hostile e-mail. We refined the filtering algorithm based on this observation and provided the programming requirements to the development team. This algorithm became a key element in mitigating numerous types of mail bombs.

The software development team provided numerous enhancements to the original filter prototype which resulted in reduced countermeasures manpower and improved filter granularity. The prototype version of the filter, smtpfilter.pl v0.0, was conceived after numerous attempts to use the existing SMTP log files to look for forged e-mail and filter the mail in real time failed. The speed of the sendmail process receiving and forwarding mail in real-time made queuing the messages prior to filtering necessary. The additional latency in the mail processing was actually offset by performance improvements in the SMTP infrastructure.

In addition, by queuing the messages, the entire SMTP header file and control messages could be used in the filter process. This proved to be extremely valuable in the process of examining mail bombs, understanding the nature of the attacks, and simultaneously insuring all e-mail was correctly delivered with minimal delay.
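The queue-filter-forward strategy of the CYBERWARS section (qclean, qjail and qcopy, rules on header data only, no bounces), the early address-format rules (missing @ sign, random @ symbols) and the repeated sender-receiver pair indicator described above can be shown together in one small batch filter. The block below is an added example, not the BOMBSHELTER or smtpfilter.pl code: the message layout, the pair threshold of 5, the "well-formed address" pattern and every address in the sample batch are constructed assumptions.

```python
"""Rules-based header filter over a batch of queued messages, sorting each
into qclean (deliver), qjail (hold, never bounce) or qcopy (copy and
deliver).  Added example, not the BOMBSHELTER code: the rules follow the
paper (sender without "@", malformed sender, repeated sender/recipient
pairs, the 'whitehouse' copy-and-deliver keyword); the message layout,
the pair threshold of 5 and all addresses are constructed assumptions."""
import re
from collections import Counter

# Assumed "well-formed" envelope sender: one "@", dotted domain, no junk characters.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")
COPY_KEYWORDS = ("whitehouse",)   # mail that might be legitimate: copy, but deliver
PAIR_THRESHOLD = 5                # assumption: this many identical pairs in one batch = bomb


def classify(msg, pair_counts):
    """Return (queue, reason) for one queued message.  Only envelope and
    header data are consulted; the body is never read, as in the paper."""
    sender = msg["sender"]
    header_text = " ".join(msg["headers"].values()).lower()
    if any(k in header_text or k in sender.lower() for k in COPY_KEYWORDS):
        return "qcopy", "copy keyword in header fields"
    if "@" not in sender:
        return "qjail", "sender has no @"
    if sender.count("@") > 1 or not ADDR_RE.match(sender):
        return "qjail", "sender address malformed"
    if pair_counts[(sender, msg["recipient"])] >= PAIR_THRESHOLD:
        return "qjail", "repeated sender/recipient pair"
    return "qclean", "passed all rules"


def filter_queue(messages):
    """Sort a batch into the three queues.  Returns ({queue: [ids]}, {id: reason}).
    Nothing is ever rejected back to the sender: jailed mail just stops here."""
    pair_counts = Counter((m["sender"], m["recipient"]) for m in messages)
    queues = {"qclean": [], "qjail": [], "qcopy": []}
    reasons = {}
    for m in messages:
        queue, why = classify(m, pair_counts)
        queues[queue].append(m["id"])
        reasons[m["id"]] = why
    return queues, reasons


def _msg(mid, sender, recipient, subject):
    """Build one constructed queued message (envelope plus a few headers)."""
    return {"id": mid, "sender": sender, "recipient": recipient,
            "headers": {"From": sender, "To": recipient, "Subject": subject}}


# Constructed batch (not real traffic): one of each case plus a six-message bomb.
SAMPLE_BATCH = [
    _msg("q1", "webmaster", "user@base.example", "prank"),                      # no "@"
    _msg("q2", "a@@b.example", "user@base.example", "test"),                   # two "@"
    _msg("q3", "x@y", "user@base.example", "test"),                            # undotted domain
    _msg("q4", "clinton@whitehouse.example", "director@base.example", "hi"),   # copy rule
    _msg("q5", "alice@partner.example", "bob@base.example", "schedule"),       # clean
] + [_msg(f"q{n}", "bomb@bomber.example", "director@base.example", f"part {n}")
     for n in range(6, 12)]                                                    # repeated pair

if __name__ == "__main__":
    queues, reasons = filter_queue(SAMPLE_BATCH)
    for q, ids in queues.items():
        print(q, ids)
```

The copy rule is checked first on purpose: it reproduces the paper's prototyping decision to deliver anything mentioning whitehouse rather than risk jailing a genuine message, which also means a spoofed clinton@whitehouse.gov still gets through and is only copied for analysis. The pair count is computed over the batch rather than per message, so the first message of a bomb is jailed along with the rest once the batch crosses the threshold.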
Having secured the network, our phase II analysis began to look at ways to provide identification and warning. Statistical process control gave us our first tool in this phase of the campaign. By calculating ratios of good vs. bad mail, calculating message averages and establishing statistically based upper and lower control limits, trends began to emerge. If the amount of jailed mail exceeds the established control limit, Langley AFB was under attack. Likewise, if the number of jailed messages dropped too low, it could indicate that our adversaries had broken through our defenses and were on the verge of overwhelming the SMTP infrastructure.

The ratio of delivered vs. jailed e-mail led to another conclusion. Bogus e-mail accounts for almost three quarters of all e-mail entering Langley AFB. If the empirical data at Langley holds true for the rest of the DoD, substantial savings in bandwidth utilization might be possible by implementing similar filters throughout the DoD at strategic SMTP gateways. To verify this hypothesis, ACC plans to collect a large cross section of data and is planning on releasing a controlled ACC command wide version of the filter for study purposes.
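The phase II warning tool described above is a control chart over the daily jailed count, with both limits meaningful: too high means an attack, too low means the rule-set has probably been evaded. The following is an added example, not ACC's code. A Shewhart individuals chart with mean plus or minus 3 sigma is an assumption (the paper only says "statistically based upper and lower control limits"), and the baseline counts are constructed around the paper's pre-escalation figure of roughly 700 spam messages per day.

```python
"""Statistical process control over daily jailed-message counts, as the
paper's phase II warning tool.  Added example, not ACC's code: a Shewhart
individuals chart with mean +/- 3 sigma limits is an assumption (the paper
only says 'statistically based upper and lower control limits'); the
baseline counts are constructed around the paper's ~700/day figure."""
from statistics import mean, stdev


def control_limits(baseline, k=3.0):
    """Return (lower, center, upper) limits from a baseline of normal days.
    The lower limit is clamped at zero since a count cannot be negative."""
    if len(baseline) < 2:
        raise ValueError("need at least two baseline days")
    center = mean(baseline)
    sigma = stdev(baseline)
    return max(0.0, center - k * sigma), center, center + k * sigma


def classify_day(jailed, lower, upper):
    """Above the upper limit: an attack is in progress.  Below the lower
    limit: the filter may have been evaded (hackers adapted to the
    rule-set), which the paper treats as equally alarming."""
    if jailed > upper:
        return "ATTACK"
    if jailed < lower:
        return "FILTER BREACH"
    return "NORMAL"


def bad_mail_ratio(jailed, delivered):
    """Fraction of all inbound mail that was jailed (the paper found ~3/4)."""
    total = jailed + delivered
    return jailed / total if total else 0.0


def monitor(baseline, new_days, k=3.0):
    """Classify each new day's jailed count against limits from the baseline."""
    lower, _, upper = control_limits(baseline, k)
    return [(count, classify_day(count, lower, upper)) for count in new_days]


# Constructed baseline: 14 quiet days near the pre-escalation ~700 spam/day.
BASELINE = [690, 720, 705, 698, 715, 702, 711, 695, 708, 700, 693, 717, 704, 699]

if __name__ == "__main__":
    lo, mid, hi = control_limits(BASELINE)
    print(f"limits: {lo:.0f} / {mid:.0f} / {hi:.0f}")
    for count, status in monitor(BASELINE, [704, 30000, 12]):
        print(count, status)
```

The baseline must be drawn from days already believed quiet; feeding attack days into it inflates sigma until nothing trips the upper limit, which is the classic way a control chart is silently defeated.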

CONCLUDING REMARKS 

Traditionally, military strategies include continental, maritime and aerospace schools. Land-power advocates follow the Clausewitzian strategies, maritime supporters the Mahan or Corbett theories. Douhet, considered the patriarch of the aerospace school, initiated strategies for the air environment. Each classic school emphasizes its unique decisive ability to win the war. 5th dimensional warfare makes similar claims, but the battlespace is different. Whereas land, sea, and air battles focus mainly on controlling a physical environment, information warfare is primarily political, social and psychological. Our example in this paper clearly demonstrates the exploitation of an indirect cumulative strategy versus a direct sequential one. Physical property is of minimal importance in 5th dimensional warfare.

The primary battlespace is the electronic manifestation of human mind-computer networks. Information dominance is a necessary new school of military strategy, better understood through operations like the one at Langley. Langley's 5th dimensional experience has proved beneficial to the USAF by helping the senior staff understand and anticipate future roles and responsibilities for the information warfare battlefield.

The ACC Tiger Team effectively suppressed the covert distribution of pornographic material via on base mail relays by Internet organizations. This situation, if undetected, could have resulted in undermining the credibility of the USAF. We also gained a first-hand understanding of the 5th dimensional information warfare battlefield [text illegible]; the rapid prototyping and deployment of a rules-based filter and detailed analysis of the battlespace was an effective countermeasure.

ACKNOWLEDGMENTS

[Name illegible]'s leadership and moral support during our late-night filter prototyping was the glue which held the team together. A special thanks is in order for USAF AFNVC personnel at Langley AFB for providing access to SMTP mail servers to test the filter. In addition the Computer Support Squadron (CSS) of HQ ACC added numerous enhancements and bug fixes to the original prototype filter code.

APPENDIX: SMTP MAIL BRIEF

SMTP mail requires higher level mechanisms if trusted delivery is a requirement [1]. Without these mechanisms it is impossible to explicitly determine who originated the SMTP message. This is because SMTP is a very simple protocol, as illustrated below. In 1994, Cheswick and Bellovin [1] discussed SMTP spoofing, stating:

    "Hackers learn these commands and occasionally type them by hand." [1]

SMTP exchanges 7-bit ASCII text characters using a very simple protocol. The sample session below illustrates this simplicity from an example SMTP session. Arrows pointing to the left represent information from the server and the right arrow represents the flow of information initiated from the client.

    <  220 isp.isp.com ESMTP ... Sun, 26 Jan 1997 ...
    >  helo hacker.com
    <  250 isp.isp.com Hello there!!
    >  mail from: hacker@the.great
    <  250 hacker@the.great... Sender ok
    >  rcpt to: spy@hacker.club
    <  250 spy@hacker.club... Rcpt ok (queue)
    >  data
    <  354 Enter mail, end with ...
    >  Execute plan B now. That's an order!
    >  .
    <  250 JAA16273 Message accepted for delivery

Any method of creating a TCP connection can accomplish the exchange above. One of the more simple ways is to simply telnet(1) to an SMTP server and connect to the port of an SMTP server that is actively listening for incoming connections.
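To make the point of the session above concrete, here is the same exchange replayed against a toy SMTP server state machine, with both sides' lines produced offline (no sockets). This is an added example, not code from the paper: the server accepts whatever the client claims in HELO and MAIL FROM, which is the entire "port 25 hack". Hostnames and addresses are the paper's fictional ones; the queue-id counter starting point, the dot-stuffing handling and the acceptance of a bare local part with no @ sign are assumptions, the last one included because the paper's first filter rule keyed on exactly that.

```python
"""Toy SMTP server state machine plus a scripted client, replaying the
appendix session offline.  Added example (not the paper's code): it shows
that the envelope sender in MAIL FROM is accepted on the client's say-so.
Hostnames and addresses are the paper's fictional ones; the queue-id
counter and the bare-local-part acceptance are assumptions."""
import re

ADDR_RE = re.compile(r"^<?([^<>\s]+)>?$")   # any non-empty token; no "@" required


class ToySmtpServer:
    """Accepts any MAIL FROM without verification, like an open 1997 relay."""

    def __init__(self, hostname="isp.isp.com"):
        self.hostname = hostname
        self.delivered = []          # accepted envelopes: (helo, sender, rcpts, body)
        self.queue_id = 16272        # assumed start so the first id is JAA16273
        self.helo = None
        self._reset()

    def _reset(self):
        self.sender = None
        self.rcpts = []
        self.in_data = False
        self.body = []

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        """Process one client line; return the server reply (None while in DATA)."""
        if self.in_data:
            if line == ".":
                self.queue_id += 1
                self.delivered.append((self.helo, self.sender, tuple(self.rcpts),
                                       "\n".join(self.body)))
                self._reset()
                return f"250 JAA{self.queue_id} Message accepted for delivery"
            # RFC 821 dot-stuffing: a leading ".." inside DATA stands for "."
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()              # claimed, never checked
            return f"250 {self.hostname} Hello there!!"
        if verb in ("MAIL", "RCPT"):
            # "mail from: x" and "MAIL FROM:<x>" are both accepted
            _, _, addr = arg.partition(":")
            m = ADDR_RE.match(addr.strip())
            if not m:
                return "501 Syntax error in address"
            if verb == "MAIL":
                self.sender = m.group(1)         # the forgeable envelope sender
                return f"250 {self.sender}... Sender ok"
            if self.sender is None:
                return "503 Need MAIL command"
            self.rcpts.append(m.group(1))
            return f"250 {m.group(1)}... Recipient ok (queue)"
        if verb == "DATA":
            if not self.rcpts:
                return "503 Need RCPT (recipient)"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 Command unrecognized"


def run_session(server, client_lines):
    """Feed scripted client lines to the server; return the transcript in the
    paper's notation ("<" server, ">" client)."""
    transcript = [f"< {server.greeting()}"]
    for line in client_lines:
        transcript.append(f"> {line}")
        reply = server.handle(line)
        if reply is not None:
            transcript.append(f"< {reply}")
    return transcript


# The appendix session, replayed: nothing checks that "hacker.com" or
# "hacker@the.great" exist, and the message is queued for delivery anyway.
FORGED_SESSION = [
    "helo hacker.com",
    "mail from: hacker@the.great",
    "rcpt to: spy@hacker.club",
    "data",
    "Execute plan B now. That's an order!",
    ".",
    "quit",
]

if __name__ == "__main__":
    srv = ToySmtpServer()
    print("\n".join(run_session(srv, FORGED_SESSION)))
    print(srv.delivered)
```

Everything the relay records about the origin (the HELO name and the envelope sender) is supplied by the client, so the only trustworthy datum is the connecting IP address, which is why the paper's later countermeasure moved to a packet-filtering router in front of the relay.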

APPENDIX: FILTER ARCHITECTURE

The flow of events for the filtering process was previously illustrated in Fig. 1. The SMTP server is started with the -odq switch, instructing sendmail to receive and queue incoming mail in mqueue only. The filter program is executed by cron(8) processing the sendmail queue, by first moving all messages in the queue to another directory where the files may be processed. Incoming mail messages arrive in mqueue and the filter program processes the staging queue, qprocess. The remaining messages in qprocess are moved to another queue, qclean, and sendmail forwards the mail by executing with the -q switch, instructing the MTA to process the mail queue. Another switch, -oQ, is used to instruct sendmail which queue to process. For more technical detail on BOMBSHELTER, please contact either one of the authors via e-mail.
ACC   Air Combat Command
SMTP  Simple Mail Transfer Protocol
TCP   Transmission Control Protocol
Bayesian filters

The second wave of spam filters were based on the theories of the Reverend Thomas Bayes (1701-1761). In short, his theory can be stated as

The essence of the Bayesian approach is to provide a mathematical rule explaining how you should change your existing beliefs in the light of new evidence.

That is, these filters operate by "learning" the trends in emails that you have identified to them as spam. They use this education in spam to identify evidence in future emails you receive that suggests that they too might be spam. Bayes' rule proves to be extremely effective in weighing the evidence for and against a particular email being unsolicited email that you don't want to read. Unlike heuristic filters they have the advantage that they constantly evolve: every new email that is classified as spam is used to further educate the filter. In addition they are tailored to the particular type of email that you want to filter out.
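The learning loop described above, as an added example that is not Mozilla's implementation or anyone else's production filter: a naive Bayes classifier over token presence with Laplace smoothing, scored in log space so long messages do not underflow. The training messages are constructed, and the 0.9 decision threshold is an assumption.

```python
"""Naive Bayes spam classifier that learns from messages the user marks as
junk, as the section describes.  Added example (not Mozilla's
implementation): Bernoulli token presence, Laplace smoothing, log-space
scoring.  Training messages are constructed; the 0.9 decision threshold is
an assumption."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$!']+")


def tokenize(text):
    """Lower-case word set; each token counts once per message."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()   # how many spam messages contain each token
        self.ham_tokens = Counter()

    def train(self, text, is_spam):
        """The 'this is junk' button: fold one labelled message into the evidence."""
        toks = tokenize(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(toks)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(toks)

    def spam_probability(self, text):
        """P(spam | tokens) by Bayes' rule with Laplace smoothing.  With no
        training data at all the answer is the uninformative 0.5."""
        total = self.spam_docs + self.ham_docs
        if total == 0:
            return 0.5
        # log prior, smoothed so neither class starts at probability zero
        log_spam = math.log((self.spam_docs + 1) / (total + 2))
        log_ham = math.log((self.ham_docs + 1) / (total + 2))
        for tok in tokenize(text):
            # P(token present | class), Laplace-smoothed per class
            log_spam += math.log((self.spam_tokens[tok] + 1) / (self.spam_docs + 2))
            log_ham += math.log((self.ham_tokens[tok] + 1) / (self.ham_docs + 2))
        # turn the two log scores into a posterior without overflow
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, text, threshold=0.9):
        return self.spam_probability(text) >= threshold


# Constructed training set: what a user might have marked over a few days.
SPAM = ["win free money now", "free cash prize click here",
        "cheap pills online now", "free money click now", "earn cash fast free"]
HAM = ["meeting tomorrow at noon", "please review the attached report",
       "lunch tomorrow with the team", "the quarterly report is attached",
       "can we meet at noon"]


def trained_filter():
    """A filter educated on the constructed examples above."""
    f = BayesFilter()
    for t in SPAM:
        f.train(t, True)
    for t in HAM:
        f.train(t, False)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for msg in ("free money click here", "review the report at noon"):
        print(f"{f.spam_probability(msg):.3f}  {msg}")
```

Tokens the filter has never seen contribute equally to both classes, so a message made entirely of novel words scores exactly the prior; one click on "this is junk" for such a message is enough to move the next one like it, which is the "constantly evolve" property the section describes.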

Bayesian filtering with Mozilla Mail. Recently, the Mozilla mail client was enhanced to include Bayesian filtering with an extremely easy to use interface. You just set up Mozilla as your mail client (instructions can be found in this support section), and every time you get a junk email, you just click the "this is junk email" button, and Mozilla will use that as an example of the type of email it should consider as spam. Every time you get an email virus, do the same thing, and soon Mozilla will learn to carefully file away all of your junk email and email viruses.